1
Incoming! Medical Device Cybersecurity Alerts on the Rise
Session 291, February 14, 2019
Juuso Leinonen, Senior Project Engineer, ECRI Institute
Chad Waters, Senior Cybersecurity Engineer, ECRI Institute
2
Conflict of Interest
Juuso Leinonen has no real or apparent conflicts of interest to report.
Chad Waters has no real or apparent conflicts of interest to report.
3
Agenda
- ECRI Institute medical device cybersecurity overview
- Rising number of medical device security alerts
- Challenges in responding to security alerts
- Methods to prioritize medical device alerts
- Recommendations
4
Learning Objectives
1. Identify measurable changes in vendor reporting of software and cybersecurity recalls and field correction notices
2. Define key challenges faced by healthcare IT and clinical engineering departments in responding to cybersecurity recalls and notices
3. Formulate practical approaches to enable facilities to effectively address threats and vulnerabilities with medical devices
5
ECRI Institute
Independent, not-for-profit research institute
Mission: Improve patient safety, cost effectiveness, and quality of healthcare
7
ECRI’s Top Ten Health Technology Hazards
8
2019 - #1. Hackers Can Exploit Remote Access to Systems, Disrupting Healthcare Delivery
2018 - #1. Ransomware and Other Cybersecurity Threats
2017 - #6. Software Management Gaps Put Patients, and Patient Data, at Risk
2016 - #10. Misuse of USB Ports Can Cause Medical Devices to Malfunction
2015 - #9. Cybersecurity: Insufficient Protections for Medical Devices and Systems
9
#1 Ransomware and Other Cybersecurity Threats to Healthcare Delivery Can Endanger Patients
10
Top 10 Health Technology Hazards 2019
11
ECRI Medical Device Cybersecurity
- Increased member interest in cybersecurity
- Increase in problem reports related to cybersecurity
- Increase in vendor notifications about cybersecurity
12
Alerts Tracker - Recall Management System
13
[Chart: Medical Device IT Alerts; y-axis 0 to 450. Source: ECRI AlertsTracker Database]
14
[Chart: Medical Device Cybersecurity Alerts by year, 2014 to 2018; y-axis 0 to 40. Source: ECRI AlertsTracker Database]
15
Cybersecurity Alerts Process
1. Triage incoming security notifications from:
   - ICS-CERT
   - Vendor security bulletins
   - ECRI member hospitals
   - Security researchers
2. ECRI Medical Device Security Team determines whether additional clarification or guidance is needed
   - No: publish as is through ECRI Alerts Tracker
   - Yes: initiate a problem report investigation to determine additional useful context or practical recommendations
3. Distribute security notifications through ECRI Alerts Tracker
16
Challenges in responding to security alerts
- Difficult to identify the medical devices that are impacted
  - Incomplete inventory is common
  - Insufficient details recorded in the asset management system about software versions, operating systems, and networking
  - Inventory may be lacking standardized product and manufacturer names
  - One alert can impact entire product lines of medical devices
17
Challenges in responding to security alerts
- Who is responsible for implementing the remediation?
  - Medical device vendor
  - Clinical Engineering (CE)
  - IT
- CE and IT collaboration continues to be a challenge
18
Challenges in responding to security alerts
- Is an update / patch available to address the security concern? Yes, available:
  - Is vendor assistance required to apply the mitigation?
    - Assistance from a vendor field service technician is often required
  - What is the clinical workflow impact?
    - Equipment downtime estimate
    - Alternative device availability can reduce the impact
19
Challenges in responding to security alerts
- Is an update available to address the security concern? Not available:
  - What is the vendor timeline for remediation?
    - Sometimes included in the security notice
    - Can be several months
  - Are temporary mitigations / compensating controls required?
    - Scalability is an issue with custom compensating controls
20
Challenges in responding to security alerts
- How to effectively categorize the impact and likelihood associated with an alert?
  - A standard framework can aid in the assessment
21
How to prioritize medical device security alerts?
22
Common Vulnerability Scoring System (v3.0)
CVSS scores indicate the severity of a potential vulnerability. They range from 0 to 10 in increasing severity, are scored based on the following attributes, and map to qualitative ratings:

Rating     CVSS Score
Low        0.1 - 3.9
Medium     4.0 - 6.9
High       7.0 - 8.9
Critical   9.0 - 10.0
23
ICS-CERT Analysis
2018 analysis:
- 30 medical device related advisories
- 14 different medical device vendors
- 130 different CVEs
  - Some vulnerabilities with only a CVSS 2.0 score
  - 34 CVEs in a single advisory
- Some advisories contained groups of devices / product lines
24
[Chart: Vulnerability Severity (CVSS); categories Low, Medium, High, Critical; y-axis 0 to 50]
25
[Chart: Attack Vector; categories Adjacent, Local, Network, Physical; y-axis 0 to 100]
26
[Chart: Classification of Vulnerabilities; Confidentiality, Integrity and Availability impact, each split into High / Low / None; y-axis 0 to 120]
27
[Chart: Attack Complexity; High: 47, Low: 81]
28
Assess the Risk - Likelihood
Very high   Threat is almost certain, or more than 100 events occur per year
High        Threat is highly likely, or 10 to 100 events occur per year
Moderate    Threat is somewhat likely, or 1 to 10 events occur per year
Low         Threat is unlikely, or an event occurs once every 1-10 years
Very low    Threat is highly unlikely, or an event occurs less than once every 10 years
Source: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
29
Assess the Risk - Impact
Very high   Multiple severe or catastrophic effects
High        Severe or catastrophic: severe degradation of organization mission capability, loss of ability to perform a core function, major damage to assets, major financial loss, significant harm to individuals involving death or threat to life
Moderate    Serious adverse effect: significant degradation in mission capability, without loss of ability to perform core functions; significant damage to assets; significant financial loss; significant but non-life-threatening harm to individuals
Low         Limited adverse effect: degradation in mission capability such that the organization can perform core functions, but the effectiveness of those functions is reduced; minor damage; financial loss; minor harm to individuals
Very low    Negligible
30
Healthcare Specific Impacts
- Patient safety risks
- Delay to patient care, which can result in patient harm
- PHI / sensitive information breaches
- Financial risks
- Risks to reputation
Impact Factors for Medical Devices

Environment of Use                                                       | Device Criticality | Available Alternative Devices                             | Amount of PHI on Device (no. of records)
High risk, including OR, ICU, trauma                                     | Life-sustaining    | No clinically viable alternative                          | 5,000+
Medical/surgical floors, ED, labor and delivery, radiotherapy, oncology  | Therapeutic        | Available alternative devices have significant drawbacks  | 500-4,999
Physical therapy, radiology                                              | Diagnostic         | Available alternative devices are largely equivalent      | 1-499
Physician office, long-term care                                         | Elective           | Readily available                                         | 0
Risk Matrix

Overall Likelihood | Impact: Very Low | Low            | Moderate       | High           | Very High
Very high          | Very low risk    | Low risk       | Moderate risk  | High risk      | Very high risk
High               | Very low risk    | Low risk       | Moderate risk  | High risk      | Very high risk
Moderate           | Very low risk    | Low risk       | Moderate risk  | Moderate risk  | High risk
Low                | Very low risk    | Low risk       | Low risk       | Low risk       | Moderate risk
Very low           | Very low risk    | Very low risk  | Very low risk  | Low risk       | Low risk

Source: National Institute of Standards and Technology (NIST). Guide for conducting risk assessments. NIST Special Publication 800-30, Rev 1. 2012 Sep. Available from: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf.
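Added example, not ECRI's or NIST's code, applying the risk matrix and the medical device impact factors above to an alert. The matrix cells and the four factor rows are taken from the slides; mapping the four rows onto the Very high / High / Moderate / Low impact levels and letting the worst single factor set the impact level are assumptions made here, and the two alert scenarios are constructed.

```python
"""Alert prioritization with the NIST SP 800-30 matrix and slide impact factors (added example)."""

LEVELS = ["Very low", "Low", "Moderate", "High", "Very high"]

# Rows: overall likelihood; columns: impact from Very low to Very high (slide matrix).
RISK_MATRIX = {
    "Very high": ["Very low", "Low", "Moderate", "High", "Very high"],
    "High":      ["Very low", "Low", "Moderate", "High", "Very high"],
    "Moderate":  ["Very low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very low", "Low", "Low", "Low", "Moderate"],
    "Very low":  ["Very low", "Very low", "Very low", "Low", "Low"],
}

# Impact-factor table rows, top row most severe. Assumption: the four rows map to
# Very high / High / Moderate / Low impact; the slide itself does not label them.
ROW_LEVELS = ["Very high", "High", "Moderate", "Low"]
ENVIRONMENT = [
    {"OR", "ICU", "trauma"},
    {"medical/surgical floor", "ED", "labor and delivery", "radiotherapy", "oncology"},
    {"physical therapy", "radiology"},
    {"physician office", "long-term care"},
]
CRITICALITY = ["life-sustaining", "therapeutic", "diagnostic", "elective"]
ALTERNATIVE = ["none", "significant drawbacks", "largely equivalent", "readily available"]
PHI_FLOORS = [5000, 500, 1, 0]   # 5,000+ / 500-4,999 / 1-499 / 0 records

def impact_level(environment, criticality, alternative, phi_records):
    rows = [
        next(i for i, names in enumerate(ENVIRONMENT) if environment in names),
        CRITICALITY.index(criticality),
        ALTERNATIVE.index(alternative),
        next(i for i, floor in enumerate(PHI_FLOORS) if phi_records >= floor),
    ]
    return ROW_LEVELS[min(rows)]   # assumption: the most severe factor decides

def risk_level(likelihood, impact):
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]

def assess(alert):
    """Return (impact level, risk level) for one alert scenario."""
    impact = impact_level(alert["environment"], alert["criticality"],
                          alert["alternative"], alert["phi_records"])
    return impact, risk_level(alert["likelihood"], impact)

# Constructed scenarios (not real devices or advisories).
ICU_PUMP = {"environment": "ICU", "criticality": "life-sustaining",
            "alternative": "significant drawbacks", "phi_records": 0, "likelihood": "Moderate"}
CLINIC_SCALE = {"environment": "physician office", "criticality": "elective",
                "alternative": "readily available", "phi_records": 0, "likelihood": "Very high"}
```

The two scenarios show the point of the matrix: a frequently exploited flaw on an elective clinic device still lands at Low risk, while a moderately likely one on a life-sustaining ICU device lands at High risk.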
33
Recommendations
- Ensure a complete inventory of medical devices and related systems
  - Leverage a standard acceptance inspection for medical devices for the initial record
  - Conduct a review of records during periodic preventive maintenance
  - Review records for accuracy during any repair
34
Recommended Inventory Data Points
- Software/firmware versions
- Operating system
- IP address
- MAC address
- Network configuration such as DHCP (Dynamic Host Configuration Protocol)/static wireless configuration
- Nature of data stored or transmitted (and magnitude of that data)
- Authentication, authorization, and auditing methods
- System owner
- Criticality of care (life supporting, therapy delivery, diagnostic)
- Age (product life cycle)
35
Recommendations
- Designate a project owner/champion for medical device security alerts
  - May be in Clinical Engineering and/or IT
  - Emerging role of Medical Device Security Specialist
- Establish a process to review and respond to medical device security alerts
  - Where to get the alerts? ICS-CERT, vendor, ISAOs, ECRI
  - Who to contact at the manufacturer? Establish a list of medical device security contacts
36
Recommendations
- Assess impact and likelihood to aid in prioritization of security alerts
- Characterize downtime impact to clinical workflow
- Establish standardized, scalable compensating controls for cases where, e.g., an update is not available
- Consider running table-top and hands-on training exercises with scenarios that include unavailable network-connected medical devices or systems
37
Summary
- Medical device cybersecurity was ranked the #1 Health Technology Hazard by ECRI for 2019
- Medical device cybersecurity alerts are on the rise
- It is paramount to allocate sufficient resources and establish processes to manage the rising number of medical device security alerts
38
Questions?
Chad Waters, Senior Cybersecurity Engineer / Senior Project Officer, ECRI Institute, cwaters@ecri.org
Juuso Leinonen, Senior Project Engineer, ECRI Institute, jleinonen@ecri.org